CVE-2025-13342
Published: 03 December 2025
Summary
CVE-2025-13342 is a critical-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 25.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-13342 affects the Frontend Admin by DynamiApps plugin for WordPress in all versions up to and including 3.28.20. The vulnerability enables unauthorized modification of arbitrary WordPress options due to insufficient capability checks and input validation in the ActionOptions::run() save handler. It has been assigned CWE-862 (Missing Authorization) and a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity stemming from network accessibility without authentication or user interaction.
Unauthenticated attackers can exploit this flaw by submitting crafted form data to public frontend forms provided by the plugin. Successful exploitation allows modification of critical WordPress options, such as users_can_register, default_role, and admin_email, potentially enabling attackers to create unauthorized administrator accounts, alter site registration settings, or redirect administrative notifications.
Mitigation details are outlined in advisories from Wordfence and the WordPress plugin Trac repository, including changeset 3400432, which addresses the issue in the ACF Frontend Form Element. Security practitioners should update the plugin to a version beyond 3.28.20 and review any modified options on affected sites.
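For comparison, the following is an added illustration (not code from the plugin or its changeset) of how a frontend option-save handler closes the defect class described above: it enforces a capability check, verifies a nonce, and only writes option names drawn from a server-side allowlist rather than from the submitted form. All function and hook names prefixed `fa_` are hypothetical; the WordPress API calls are standard.

```php
<?php
// Added example, not the plugin's own code. Hypothetical hardened handler for a
// frontend "save options" form, showing the checks whose absence leads to
// unauthorized modification of arbitrary WordPress options (CWE-862).

// Only options this form is meant to manage, each paired with a sanitizer.
// Sensitive options such as users_can_register, default_role and admin_email
// are deliberately absent, so a client cannot name them in the request.
const FA_ALLOWED_OPTIONS = [
    'blogname'        => 'sanitize_text_field',
    'blogdescription' => 'sanitize_text_field',
];

function fa_save_options_handler() {
    // 1. Authorization: require the same capability WordPress itself demands
    //    for changing options. Unauthenticated callers fail here.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', [ 'response' => 403 ] );
    }

    // 2. Request provenance: reject submissions without a valid nonce.
    $nonce = isset( $_POST['fa_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['fa_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'fa_save_options' ) ) {
        wp_die( 'Invalid nonce', '', [ 'response' => 403 ] );
    }

    // 3. Input validation: iterate the allowlist, never the client's key list,
    //    and sanitize each value before it reaches update_option().
    $submitted = ( isset( $_POST['options'] ) && is_array( $_POST['options'] ) )
        ? wp_unslash( $_POST['options'] )
        : [];
    $updated = [];
    foreach ( FA_ALLOWED_OPTIONS as $name => $sanitizer ) {
        if ( ! array_key_exists( $name, $submitted ) ) {
            continue;
        }
        $value = call_user_func( $sanitizer, (string) $submitted[ $name ] );
        if ( update_option( $name, $value ) ) {
            $updated[] = $name;
        }
    }
    return $updated; // names actually changed, useful for audit logging
}

// admin_post_{action} hooks only fire for logged-in users; the capability
// check above is still required because "logged in" is not "authorized".
add_action( 'admin_post_fa_save_options', 'fa_save_options_handler' );
```

When reviewing an affected site after upgrading, compare the current values of users_can_register, default_role and admin_email against the expected baseline, since the handler fix does not revert changes already made.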
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-200979
Vulnerability details
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler.
This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables unauthenticated exploitation of a public-facing WordPress plugin (T1190) to modify options such as users_can_register and default_role, facilitating local account creation with administrator privileges (T1136.001).
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations and capability checks to prevent unauthenticated attackers from modifying arbitrary WordPress options via the ActionOptions::run() handler.
- Validates inputs in crafted form data submissions to the plugin's save handler, directly addressing the insufficient input validation that enables unauthorized option modifications.
- Applies least privilege to restrict unauthenticated access, mitigating the missing capability checks that allow changes to critical options such as users_can_register and default_role.